1. In response to the amendment filed on 31 July 2006 and the Interview on 11 October 2006, the 
amendment to the claims is accepted. 

2. An examiner's amendment to the record is attached. Please enter the entire claim set. Should 
the changes and/or additions be unacceptable to applicant, an amendment may be filed as 
provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be 
submitted no later than the payment of the issue fee. The examiner's amendment amends 
claims 23 and 37 and was authorized by attorney of record Lawrence D. Eisen in a phone interview on 
11 October 2006. 

Reasons for Allowance 

3. Claims 23-30, 33-44, and 47-50 are allowed over the prior art of record. 

The following is a statement of reasons for the indication of allowable subject matter: 
In interpreting the claims in light of the specification and applicant's argument, the 
Amendment filed 7/31/2006, as well as the attached Examiner's Amendment, the Examiner finds the 
claimed invention is patentably distinct from the prior art of record. 

The prior art of record comprises Munson, introducing a dynamic intrusion detection system, 
and Botros, introducing a method for training neural network models for use in an intrusion detection 
system. 

The prior art of record, Munson or Botros, fails to anticipate or render obvious Applicant's 
particular feature that 

"and based upon a machine learning algorithm, wherein the machine learning 
algorithm employs a string distance metric, other than string matching, for 
preprocessing its inputs during learning, wherein a string is defined as a sequence of 
symbols and string distance metric is based on at least one of events common to two 
strings and the difference in positions of common events, and the string distance 
metric is used to measure the distance from an input string to each of several 
exemplar strings" 

The dependent claims, being further limiting to the independent claims and defined and 
enabled by the Specification, are also allowed. 

4. Any comments considered necessary by applicant must be submitted no later than the 
payment of the issue fee and, to avoid processing delays, should preferably accompany the issue 
fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for 
Allowance". 

5. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Ellen C. Tran whose telephone number is 
(571) 272-3842. The examiner can normally be reached from 8:30 am to 5:00 pm. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Jacques H. Louis-Jacques can be reached on (571) 272-6962. The fax phone number for the 
organization where this application or proceeding is assigned is (571) 273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 
Ellen Tran 
Patent Examiner 
Technology Center 2134 
03 October 2006 

NASSER MOAZZAMI 
SUPERVISORY PATENT EXAMINER 
TECHNOLOGY CENTER 2100 
10/11/06 
EXAMINER'S AMENDMENT: 

This listing of claims replaces all prior versions, and listings, of claims in the application: 
Listing of Claims: 

1 - 22 Canceled 

23. (Currently Amended) A detection system for detecting intrusive behavior in a 
session on a computer during an application monitoring phase, said session comprising a 
plurality of applications invoked on said computer, and said computer having a computer 
operating system, said detection system comprising: 

(a) a plurality of trained neural networks, wherein each trained neural network has 
previously been trained during a training phase to identify a pre-determined behavior pattern for 
a corresponding one of the plurality of applications, and wherein each trained neural network is 
selected for use in the application monitoring phase based upon performance during a testing 
phase and based upon a machine learning algorithm, wherein the machine learning algorithm 
employs a string distance metric, other than string matching, for preprocessing its inputs during 
learning, wherein a string is defined as a sequence of symbols and the string distance metric is 
based on at least one of events common to two strings and[[/or]] the difference in positions of 
common events, and the string distance metric is used to measure the distance from an input 
string to each of several exemplar strings; 

(b) a plurality of application profiles, wherein each application profile comprises a 
plurality of application data for a corresponding one of the plurality of applications, wherein 
said application data is collected during the session; 
(c) a temporal locality identifier, wherein when one of the plurality of application profiles 
is sequentially input to a corresponding one of the plurality of trained neural networks the trained 
neural network outputs a behavior indicator for each of the plurality of data strings in the 
application profile; and wherein if the behavior indicator meets a pre-determined criteria, a 
counter is incremented, and wherein if the counter has a high rate of increase the temporal 
locality identifier labels the application behavior intrusive, and wherein if a predetermined 
percentage of application behaviors are intrusive the session behavior is labeled intrusive. 
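The following Python program is an added illustration, not code from the application, the applicant, or the prior art of record, of how the two mechanisms recited in claim 23 fit together: element (a), a string distance metric, other than exact matching, computed from the events common to two strings and the difference in their positions and measured from an input string to each of several exemplar strings; and element (c), a temporal locality identifier whose counter is incremented each time a behavior indicator meets a criterion, with the application labeled intrusive when the counter rises quickly and the session labeled intrusive when a given percentage of applications are intrusive. The claim recites only these properties; the concrete distance formula (unpaired events plus the normalized positional offset of paired events), the sliding window used to judge the counter's rate of increase, the indicator threshold, and all sample event strings and indicator values below are assumptions of this example.

```python
"""Added illustration of claim 23 elements (a) and (c); formulas, thresholds
and sample data are assumptions of this example, not the claimed method."""
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

Event = str
EventString = Sequence[Event]


def _positions(s: EventString) -> Dict[Event, List[int]]:
    """Map each event symbol to the positions at which it occurs in s."""
    pos: Dict[Event, List[int]] = defaultdict(list)
    for i, ev in enumerate(s):
        pos[ev].append(i)
    return pos


def string_distance(a: EventString, b: EventString) -> float:
    """Assumed distance between two event strings (e.g. system-call sequences).

    Occurrences of each common event are paired in order; every unpaired event
    in either string costs 1, and each pair costs the difference in positions
    divided by the longer string's length. Identical strings score 0.0; strings
    with no events in common score len(a) + len(b).
    """
    pa, pb = _positions(a), _positions(b)
    matched = 0
    offset = 0
    for ev in pa.keys() & pb.keys():
        for i, j in zip(pa[ev], pb[ev]):
            matched += 1
            offset += abs(i - j)
    unmatched = (len(a) - matched) + (len(b) - matched)
    return unmatched + offset / max(len(a), len(b), 1)


def distances_to_exemplars(s: EventString, exemplars: Sequence[EventString]) -> List[float]:
    """Preprocessing step: one distance per exemplar. This vector, not the raw
    string, is what the learning algorithm would consume as its input."""
    return [string_distance(s, ex) for ex in exemplars]


def temporal_locality(indicators: Sequence[float], criterion: float = 0.5,
                      window: int = 5, max_increments: int = 3) -> Tuple[bool, int]:
    """Counter increments whenever an indicator meets the criterion. The rate of
    increase is judged over a sliding window (assumption): max_increments hits
    within any `window` consecutive indicators labels the application intrusive.
    Returns (intrusive, final counter value)."""
    counter = 0
    recent: List[int] = []          # 1 where the counter was incremented
    for ind in indicators:
        hit = 1 if ind >= criterion else 0
        counter += hit
        recent.append(hit)
        if len(recent) > window:
            recent.pop(0)
        if sum(recent) >= max_increments:
            return True, counter
    return False, counter


def session_is_intrusive(app_labels: Sequence[bool], percentage: float = 0.5) -> bool:
    """Session is intrusive if at least `percentage` of its applications are."""
    if not app_labels:
        return False
    return sum(app_labels) / len(app_labels) >= percentage


# Constructed sample data: short system-call strings standing in for audit records.
EXEMPLARS: List[EventString] = [
    ("open", "read", "close"),
    ("open", "write", "close"),
    ("socket", "connect", "send"),
]


def demo() -> Dict[str, object]:
    """Run both mechanisms on constructed inputs and return the results."""
    normal = ("open", "read", "read", "close")        # near the first exemplar
    odd = ("socket", "connect", "execve", "send")     # near the third, plus an unseen event
    # Constructed per-string behavior indicators, as a trained network might emit them.
    bursty = [0.1, 0.9, 0.2, 0.8, 0.9, 0.1]           # three hits close together
    sparse = [0.9, 0.1, 0.1, 0.1, 0.1, 0.9, 0.1, 0.1, 0.1, 0.1, 0.9]  # same count, spread out
    app_a, _ = temporal_locality(bursty)
    app_b, _ = temporal_locality(sparse)
    return {
        "normal_vs_exemplars": distances_to_exemplars(normal, EXEMPLARS),
        "odd_vs_exemplars": distances_to_exemplars(odd, EXEMPLARS),
        "bursty_app_intrusive": app_a,
        "sparse_app_intrusive": app_b,
        "session_intrusive": session_is_intrusive([app_a, app_b], percentage=0.5),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two indicator sequences in `demo()` reach the same counter value, yet only the bursty one is labeled intrusive: the claim keys on the counter's rate of increase, not its total, which is what lets a few suspicious strings clustered in time stand out from the same number scattered across a long session.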

24. (Original) The detection system of claim 23, wherein the pre-determined behavior 
pattern comprises a non-intrusive behavior. 

25. (Previously Presented) The detection system of claim 23, wherein the application 
data comprises a distance between a sequential mapping of system calls made by a 
corresponding one of the plurality of applications and a pre-defined string of system calls. 

26. (Previously Presented) The detection system of claim 23, wherein the application 
data comprises a distance between a sequential mapping of object requests made by a 
corresponding one of the plurality of applications and a pre-defined string of object requests. 

27. (Original) The detection system of claim 23, wherein the plurality of application 
profiles is created by a data pre-processor application. 

28. (Original) The detection system of claim 27, wherein the data pre-processor 
receives input from an auditing system integral to the computer operating system. 

29. (Original) The detection system of claim 27, wherein the data pre-processor creates 
the plurality of second application profiles in real-time. 
30. (Original) The detection system of claim 27, wherein the plurality of trained 
neural networks receive input from the plurality of application profiles in real-time. 

31. (Canceled) 

32. (Canceled) 

33. (Previously Presented) The detection system of claim 23, wherein the plurality 
of trained neural networks comprises a plurality of backpropagation neural networks. 

34. (Previously Presented) The detection system of claim 33, wherein each 
backpropagation neural network in the plurality of backpropagation neural networks 
comprises an input layer, a hidden layer and an output layer. 

35. (Previously Presented) The detection system of claim 34, wherein a number of 
nodes in the hidden layer is determined by testing a plurality of cases for each backpropagation 
neural network in the plurality of backpropagation neural networks and selecting the 
backpropagation neural network having a highest accuracy rate during the testing phase for use 
in application monitoring. 

36. (Previously Presented) The detection system of claim 23, wherein the plurality of 
trained neural networks comprises a plurality of recurrent neural networks. 

37. (Currently Amended) A method for detecting intrusive behavior in a session on a 
computer during an application monitoring phase, said session comprising a plurality of 
applications invoked on said computer, and said computer having a computer operating system, 
said method comprising the steps of: 
(a) training a plurality of neural networks during a training phase, wherein each neural 
network is trained to identify a pre-determined behavior pattern for a corresponding one of the 
plurality of applications; 

(b) selecting for use one or more trained neural networks based upon performance 
during a testing phase and based upon a machine learning algorithm, wherein the machine 
learning algorithm employs a string distance metric, other than string matching, for 
preprocessing its inputs during learning, wherein a string is defined as a sequence of symbols 
and the string distance metric is based on at least one of events common to two strings and/or the 
difference in positions of common events, and the string distance metric is used to measure the 
distance from an input string to each of several exemplar strings; 

(c) creating a plurality of application profiles, wherein each application profile 
comprises a plurality of application data for a corresponding one of the plurality of applications, 
wherein said application data is collected during the session; 

(d) performing a temporal locality identifying algorithm, wherein when one of the 
plurality of application profiles is sequentially input to a corresponding one of the plurality of 
trained neural networks the trained neural network outputs a behavior indicator for each of the 
plurality of data strings in the application profile, and wherein if the behavior indicator meets a 
pre-determined criteria, a counter is incremented, and wherein if the counter has a high rate of 
increase the temporal locality identifier labels the application behavior intrusive, and wherein if 
a predetermined percentage of application behaviors are intrusive the session behavior is 
labeled intrusive. 
38. (Original) The method of claim 37, wherein the pre-determined behavior pattern 
comprises a non-intrusive behavior. 

39. (Previously Presented) The method of claim 37, wherein the application data 
comprises a distance between a sequential mapping of system calls made by a corresponding one 
of the plurality of applications and a pre-defined string of system calls. 

40. (Previously Presented) The method of claim 37, wherein the application data 
comprises a distance between a sequential mapping of object requests made by a corresponding 
one of the plurality of applications and a pre-defined string of object requests. 

41. (Original) The method of claim 37, wherein the plurality of application profiles 
is created by a data pre-processor application. 

42. (Original) The method of claim 41, wherein the data pre-processor receives 
input from an auditing system integral to the computer operating system. 

43. (Original) The method of claim 41, wherein the data pre-processor creates the 
plurality of second application profiles in real-time. 

44. (Original) The method of claim 41, wherein the plurality of trained neural 
networks receive input from the plurality of application profiles in real-time. 

45. (Canceled) 

46. (Canceled) 

47. (Previously Presented) The method of claim 37, wherein the plurality of trained 
neural networks comprises a plurality of backpropagation neural networks. 

48. (Previously Presented) The method of claim 37, wherein each 
backpropagation neural network in the plurality of backpropagation neural networks comprises 
an input layer, a hidden layer and an output layer. 

49. (Previously Presented) The method of claim 48, wherein a number of nodes in 
the hidden layer is determined by testing a plurality of cases for each backpropagation neural 
network in the plurality of backpropagation neural networks and selecting the case wherein the 
corresponding neural network has a highest accuracy rate. 

50. (Previously Presented) The method of claim 37, wherein the plurality of trained 
neural networks comprises a plurality of recurrent neural networks. 


